Issue Date: May 03, 2012
Audit Report Number: 2012-KC-0002

TO: Karen Newton Cole, Acting Chief Human Capital Officer, A

//signed//
FROM: Ronald J. Hosking, Regional Inspector General for Audit, 7AGA

SUBJECT: HUD Did Not Implement Adequate Policies and Procedures for Sanitizing Media in Its Multifunction Devices

HIGHLIGHTS

What We Audited and Why

We audited the U.S. Department of Housing and Urban Development’s (HUD) Office of the Chief Human Capital Officer based on concerns about security risks of hard drives in multifunction devices. Our objective was to determine whether HUD had documented and implemented procedures to effectively remove sensitive data from the hard drives of multifunction devices before disposing of them.

What We Found

HUD did not monitor or test the overwrite process for multifunction devices to ensure that the process effectively sanitized data from multifunction device hard drives. It also did not have a detailed plan in place to ensure proper sanitization of the devices’ hard drives before disposal.

What We Recommend

We recommend that the Chief Human Capital Officer develop and implement a plan to monitor and test HUD’s overwrite process for hard drives on its multifunction devices to ensure that the process is effective. We also recommend that the Chief Human Capital Officer develop and implement a plan to ensure that all sensitive data are effectively sanitized from the hard drives of its multifunction devices before they are disposed of.

For each recommendation without a management decision, please respond and provide status reports in accordance with HUD Handbook 2000.06, REV-4. Please furnish us copies of any correspondence or directives issued because of the audit.

Auditee’s Response

HUD agreed with our finding and recommendations. We provided the draft report to HUD on March 7, 2012 and requested a response by April 6, 2012. It provided written comments on May 2, 2012.

The complete text of the auditee’s response can be found in appendix A of this report.

TABLE OF CONTENTS

Background and Objective
Results of Audit
    Finding: HUD Did Not Implement Adequate Policies and Procedures for Sanitizing Media in Its Multifunction Devices
Scope and Methodology
Internal Controls
Appendixes
    A. Auditee Comments
    B. Criteria

BACKGROUND AND OBJECTIVE

The Office of the Chief Information Officer at the U.S. Department of Housing and Urban Development (HUD) was established on December 1, 1998. HUD’s Chief Information Officer reports to the Office of the HUD Secretary or Deputy Secretary and advises the Secretary, Deputy Secretary, and other HUD senior managers on the strategic use of information technology to support core business processes and achieve mission-critical goals. One of the Office of the Chief Information Officer’s primary responsibilities is to develop and implement information technology policy.

The Office of the Chief Human Capital Officer is led by the Chief Human Capital Officer. The Chief Human Capital Officer is assisted by the Deputy Chief Human Capital Officer. They provide overall policy and strategic direction for the Office, which is comprised of several components. One of these is the Office of Facilities Management Services.

The Office of Facilities Management Services provides a diverse array of key support services to headquarters and the field, including real and personal property management, fleet management, building operations, energy and environmental management, headquarters transportation services, lock and key services, parking management, telecommunications management, safety and health program management, records management, mail distribution and management, printing and graphics services, and development and issuance of departmental policy for administrative services. It is responsible for carrying out the Office of the Chief Information Officer’s information technology policies and procedures with regard to printing equipment.

HUD headquarters is under a 5-year contract with Xerox for more than 300 multifunction devices, which expires in March 2013. There are several different contracts for multifunction devices in HUD’s field offices, not all of which involve Xerox machines. HUD staff told us that no multifunction machines had been disposed of.

Our audit objective was to determine whether HUD had documented and implemented procedures to effectively remove sensitive data from the hard drives of multifunction devices before disposing of them.

RESULTS OF AUDIT

Finding: HUD Did Not Implement Adequate Policies and Procedures for Sanitizing Media in Its Multifunction Devices

HUD did not monitor or test the overwrite process for its multifunction devices and did not have a detailed plan in place to ensure proper sanitization of the devices’ hard drives before disposal. This condition occurred because HUD staff in the Office of the Chief Human Capital Officer disagreed with the Office of the Chief Information Officer over which office was responsible for ensuring its hard drives were properly sanitized. As a result, HUD could not be assured that its overwrite process effectively removed data from the hard drives, and sensitive data could be at risk.

HUD Did Not Monitor or Test the Overwrite Process

HUD did not implement policies and procedures for media sanitization. It did not monitor or test the overwrite process for its multifunction devices to ensure that the process effectively sanitized data from its multifunction device hard drives. The Office of the Chief Information Officer had written policies and procedures stating that HUD was required to

• Sanitize all information system media before disposal or release for reuse;
• Track, document, and verify media sanitization actions; and
• Periodically test sanitization equipment and procedures to ensure correct performance.

HUD and information systems contractor staff told us that the hard drives in the multifunction devices were overwritten every night and that the overwrite process removed all of the data from the hard drives. The overwrite process was set up at the time the machines were installed, and each machine printed out a report every morning stating whether the overwrite process was successful. There was no process in place to use the reports for monitoring the overwrite process, and the machines were about to begin the last year of a 5-year contract that expires on March 6, 2013.

HUD’s Xerox representative told us that to be most efficient, the machines should be set to immediately overwrite each job after it completes. The Xerox representative also told us that the machines can be overwritten on demand, using a menu on the machine, but that HUD cannot wait until the day the leased machines go back to Xerox to perform this function. The overwrite process takes 20-30 minutes to complete and is not always successful the first time. Therefore it could take twice that long to overwrite the machine, which is not feasible while machines are being switched out.

The Xerox representative gave an example of a customer with 147 machines, who tried to overwrite them as they left the facility. The Xerox representative said that the operation was a nightmare and ultimately unsuccessful because all of the machine hard drives were not overwritten. HUD has nearly 300 machines in headquarters on one contract.

HUD recently changed the settings on the machines as a result of our audit work. HUD’s information technology contractor set the overwrite process to be performed after each job in addition to the nightly overwrite process. The immediate overwrite function was recommended by the Xerox representative; however, HUD had not tested the overwrite process and could not be assured that it effectively removed data from the hard drives.

HUD Did Not Have a Detailed Disposal Plan in Place

HUD did not have a detailed plan in place to ensure proper sanitization of the devices’ hard drives before disposal. HUD staff had researched what options were available and had discussed the options internally, but did not finalize a plan for disposing of the hard drives at the end of the lease. The HUD staff we spoke with generally agreed that the best way to secure the data on multifunction hard drives is to retain the hard drives at the end of the lease and have them physically destroyed by shredding them. However, no official decision had been made on how to handle the hard drives at the end of the lease.

Retaining the hard drives is the most expensive way to secure the data. Xerox officials told us that the hard drives cost about $350 each and that a few of the more complex machines contained two hard drives. They said that this cost would be in addition to the cost of the contract. The cost of the shredding process is also not included in the contract. HUD staff told us that HUD did not have the proper equipment to shred the hard drives and a contractor would have to be hired to perform the function.

HUD Staff Disagreed Over Responsibilities

HUD staff in the Office of the Chief Human Capital Officer disagreed with the Office of the Chief Information Officer over which office was responsible for monitoring, testing, and sanitization of data. One of the primary responsibilities of the Office of the Chief Information Officer is to develop and implement information technology policy; however, it is up to the Office of the Chief Human Capital Officer to carry out the policy because it is responsible for managing the multifunction machines.

Sensitive Information Could Be at Risk

HUD could not be assured that its overwrite process effectively removed data from its hard drives, and sensitive data could be at risk. HUD did not monitor the nightly overwrite process, but even if the process was successful, data could be on the devices the day they are taken out of service because print, fax, copy, and scan jobs may be performed the same day the machine is returned to Xerox. HUD needs to develop and implement a disposal plan for the machines to ensure that they are not returned with sensitive information on the hard drives.

Recommendations

We recommend that the Chief Human Capital Officer work with the Chief Information Officer to

1A. Develop and implement a plan to monitor and test HUD’s overwrite process for hard drives on its multifunction devices to ensure that the process is effective.

1B. Develop and implement a plan to ensure that all sensitive data are effectively removed from the hard drives of its multifunction devices before they are disposed of.

SCOPE AND METHODOLOGY

Our review generally covered the period October 1, 2009, through September 30, 2011. We performed onsite work from November 2011 through January 2012 at HUD headquarters at 451 7th Street Southwest, Washington, DC.

To accomplish the audit objective, we

• Reviewed HUD’s handbooks and information technology security procedures.
• Reviewed the National Institute of Standards and Technology’s Recommended Security Controls for Federal Information Systems and Organizations.
• Reviewed the Code of Federal Regulations.
• Reviewed HUD’s contract for multifunction devices.
• Conducted interviews with staff from HUD’s Office of the Chief Information Officer, Office of the Chief Human Capital Officer, and information technology contractor and representatives from the Xerox Corporation.

We did not use or rely on computer-processed data to support our audit conclusions. In addition, we did not perform testing on the multifunction device hard drives.

We conducted the audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

INTERNAL CONTROLS

Internal control is a process adopted by those charged with governance and management, designed to provide reasonable assurance about the achievement of the organization’s mission, goals, and objectives with regard to

• Effectiveness and efficiency of operations,
• Reliability of financial reporting, and
• Compliance with applicable laws and regulations.

Internal controls comprise the plans, policies, methods, and procedures used to meet the organization’s mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations as well as the systems for measuring, reporting, and monitoring program performance.

Relevant Internal Controls

We determined that the following internal controls were relevant to our audit objective:

• Controls to ensure compliance with the Office of the Chief Information Officer’s policies and procedures for media sanitization.
• Controls for sanitizing sensitive data when disposing of multifunction devices.

We assessed the relevant controls identified above.

A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, the reasonable opportunity to prevent, detect, or correct (1) impairments to effectiveness or efficiency of operations, (2) misstatements in financial or performance information, or (3) violations of laws and regulations on a timely basis.

Significant Deficiencies

Based on our review, we believe that the following items are significant deficiencies:

• HUD did not have controls in place to ensure that it complied with testing and monitoring requirements for the overwrite process for its multifunction devices.
• HUD did not have controls in place to ensure that it had a sanitization plan for the multifunction devices before disposal.

APPENDIXES

Appendix A

AUDITEE COMMENTS

Appendix B

CRITERIA

HUD Handbook 2400.25, REV-2, CHG-1, section 4.7.6, states that HUD must:

• Sanitize information system media, both digital and non-digital, prior to disposal or release for reuse.
• Track, document, and verify media sanitization actions.
• Periodically test sanitization equipment and procedures to ensure correct performance.

HUD Handbook 2400.25, REV-2, CHG-1, section 4.7.6, also states that program offices and system owners shall ensure that any sensitive information stored on media that will be surplused or returned to the manufacturer shall be purged from the media before disposal.
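The finding notes that every machine printed a morning report stating whether the nightly overwrite succeeded, yet no process consumed those reports, and that jobs run on the day a machine is returned can leave data on a drive that was overwritten the night before. The following script is an added illustration of the monitoring and pre-return check that recommendations 1A and 1B call for; it is not HUD's, the contractor's, or Xerox's tooling. The report and job-log line formats, the device names, and the field values are assumptions, and all sample lines are constructed.

```python
"""Fleet check for multifunction-device (MFD) hard-drive overwrite status.

Added example, not HUD's or Xerox's own tooling. It consumes the per-device
overwrite status reports the machines already print, joins them with the
device job log, and classifies every device in the inventory so that a
failed, missing, or out-of-date overwrite cannot go unnoticed. Formats,
device names and field values are assumptions; sample lines are constructed.
"""
from datetime import datetime, timedelta

# Constructed inventory: the full list of leased devices. A device that never
# reports must be flagged, not silently skipped, so classification is driven
# by the inventory rather than by whatever reports happened to arrive.
INVENTORY = ["MFD-0001", "MFD-0002", "MFD-0003", "MFD-0004"]

# Constructed morning status reports. Assumed format:
#   <date> <time> <device> OVERWRITE <SUCCESS|FAILED>
OVERWRITE_REPORTS = """\
2013-03-05 06:01 MFD-0001 OVERWRITE SUCCESS
2013-03-05 06:03 MFD-0002 OVERWRITE FAILED
2013-03-05 06:02 MFD-0003 OVERWRITE SUCCESS
2013-03-04 06:02 MFD-0002 OVERWRITE SUCCESS
""".splitlines()

# Constructed job log. Assumed format: <date> <time> <device> JOB <kind>
# Any job completed after the last successful overwrite leaves data on disk.
JOB_LOG = """\
2013-03-05 09:15 MFD-0001 JOB PRINT
2013-03-04 16:20 MFD-0003 JOB FAX
""".splitlines()

# The moment the fleet is being evaluated (constructed): a device whose last
# report is older than this window did not report this morning.
AS_OF = datetime(2013, 3, 5, 12, 0)
REPORT_WINDOW = timedelta(hours=24)
TIME_FMT = "%Y-%m-%d %H:%M"


def parse_events(lines, kind):
    """Return {device: [(timestamp, value), ...]} for lines whose 4th field is `kind`.

    Malformed lines are skipped so one garbled report cannot abort the check.
    """
    events = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[3] != kind:
            continue
        try:
            ts = datetime.strptime(f"{parts[0]} {parts[1]}", TIME_FMT)
        except ValueError:
            continue
        events.setdefault(parts[2], []).append((ts, parts[4]))
    return events


def classify_device(device, overwrites, jobs, as_of):
    """Classify one device's sanitization state as of `as_of`.

    missing - no overwrite report within the window (no evidence at all)
    failed  - the most recent overwrite report was not SUCCESS
    dirty   - a job ran after the last successful overwrite
    clear   - last overwrite succeeded and nothing was written since
    """
    reports = sorted(r for r in overwrites.get(device, []) if r[0] <= as_of)
    if not reports or as_of - reports[-1][0] > REPORT_WINDOW:
        return "missing"
    last_ts, last_result = reports[-1]
    if last_result != "SUCCESS":
        return "failed"
    last_job = max((ts for ts, _ in jobs.get(device, []) if ts <= as_of), default=None)
    if last_job is not None and last_job > last_ts:
        return "dirty"
    return "clear"


def classify_fleet(inventory, report_lines, job_lines, as_of):
    """Classify every inventoried device; returns {device: state}."""
    overwrites = parse_events(report_lines, "OVERWRITE")
    jobs = parse_events(job_lines, "JOB")
    return {dev: classify_device(dev, overwrites, jobs, as_of) for dev in inventory}


def not_clear_for_return(fleet_status):
    """Devices that must not leave the building until re-sanitized or verified."""
    return sorted(dev for dev, state in fleet_status.items() if state != "clear")


if __name__ == "__main__":
    status = classify_fleet(INVENTORY, OVERWRITE_REPORTS, JOB_LOG, AS_OF)
    for dev, state in status.items():
        print(f"{dev}: {state}")
    print("hold for sanitization:", ", ".join(not_clear_for_return(status)))
```

In this constructed sample, MFD-0002 reported a failed overwrite, MFD-0004 never reported, and MFD-0001 ran a print job after its successful nightly overwrite, which is exactly the same-day exposure the finding describes; only MFD-0003 is clear. Setting the machines to overwrite after each job, as the report says HUD did, would move devices like MFD-0001 to "clear" as soon as the post-job overwrite reports SUCCESS, but the check still has to run, because the finding's point is that an untested, unmonitored overwrite proves nothing.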